[dns-operations] TLSA records on MX

Phil Pennock dnsop+phil at spodhuis.org
Mon Jun 10 22:40:49 UTC 2013

On 2013-06-10 at 14:56 +0000, Zuleger, Holger, Vodafone DE wrote:
> The Certificate provided by spodhuis.org authenticates the target mx.spodhuis.org,
> but not the query domain (which is spodhuis.org).

To be clear: for mail delivery, you want:

The SMTP case is not quite the same as the SRV case, thus there being a
distinct draft to cover it.

The SRV text doesn't quite match MX practice; historically, there's been
*no* default verification of certificate hostname for MX delivery,
because nobody could agree even on what should be, or could safely be,

The server for spodhuis.org also handles a number of other domains and
it would be inappropriate to pick one, or to reissue the cert as domains
come and go.  This is the fundamental issue which led to solution of
validating the _target_ domain.

In the text you cite, the "MUST" is for clients that cannot perform
DNSSEC validation, to attempt to preserve backwards compatibility for
some fairly common cases where there's a 1:1 mapping between domain at
hostname (target domain) servicing the domain.

The SMTP draft references only chapter 3 of the SRV draft.


More information about the dns-operations mailing list